Stage and launch a malicious Excel document

Stages and opens a macro-enabled Excel document. The macro loads Operator network config facts from a previously staged file, then executes mshta.exe to run a malicious HTA file hosted on Operator. The HTA then downloads and executes a seconardy Pneuma agent.
View Command

To view this TTPs command, you must be logged in with a professional or enterprise license.


Test this TTP

Download Operator (1.7.1)
Test this TTP using one of our Operator chains
APT40 defense industry


Emulating APT40's multi-stage macro-enabled documents.